TitusI wrote:
quanah wrote:
TitusI wrote:
I'm using fail2ban. I want to underline that the IP address of the client who made the login attempts is not correct (it's my server's public IP), and this is a problem.
Please explain what you mean when you write that it is an attack against Postfix; I see port 7071 in the log.
How can I understand if my Zimbra is using DSPAM or SpamAssassin or both together?
Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA, that is why you see your SERVER IP.
I hope this explanation helps.
Regards,
Quanah
Following your suggestion on the other thread and reading the suggested resource, I've mitigated the SPAM problem:
Test:
zmlocalconfig antispam_enable_rule_updates
RES: antispam_enable_rule_updates = false
zmlocalconfig antispam_enable_restarts
RES: antispam_enable_restarts = false
Setting:
zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true
zmamavisdctl restart
zmmtactl restart
But I would like to know who is doing the job: DSPAM or SpamAssassin?
ps aux | grep -i spam
gave 0 output.
Amavis does. I suggest you read up on https://wiki.zimbra.com/wiki/Anti-spam_Strategies. However, none of this applies to the case of someone who has hacked one of your users and is using your server to send out spam. For that, you need to monitor the Postfix logs in /var/log/zimbra.log and find the spammer and the user they've hacked, and then fix things from there.
Brute force attack & SPAM configuration
Re: Brute force attack
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
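Quanah's two points above (the audit entries for SMTP AUTH carry the MTA's own IP because the MTA makes the SOAP call to 7071, and a hijacked account is found by reading the Postfix lines in /var/log/zimbra.log) are shown here as an added triage script. It is mine, not from any poster in this thread or from Zimbra. The log lines it parses are constructed samples in standard Postfix smtpd format; the IPs, accounts and queue IDs are made up. Two things are counted: SASL failures per client IP (the brute-force sources, and the IP that fail2ban must see), and successful SASL logins per account together with the distinct IPs behind them (a mailbox suddenly sending from many unrelated addresses is the usual footprint of a compromised user).

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample of Postfix lines as they appear in /var/log/zimbra.log.
# Hostnames, queue IDs, accounts and IPs are made up (RFC 5737 test ranges).
SAMPLE_LOG = """\
Mar  3 10:01:12 mail postfix/smtpd[4711]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:14 mail postfix/smtpd[4711]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:15 mail postfix/smtpd[4712]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:01:20 mail postfix/smtpd[4713]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:02:01 mail postfix/smtpd[4714]: 1A2B3C4D5E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:02:05 mail postfix/smtpd[4714]: 2B3C4D5E6F: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:02:09 mail postfix/smtpd[4715]: 3C4D5E6F7A: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:03:00 mail postfix/smtpd[4716]: 4D5E6F7A8B: client=office.example.net[192.0.2.20], sasl_method=LOGIN, sasl_username=bob@example.com
"""

# Failed SMTP AUTH: this Postfix warning is where the real client IP is logged.
# (The matching audit.log entry shows the MTA's own IP, as Quanah explains.)
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[(?P<ip>[\d.]+)\]: "
    r"SASL \w+ authentication failed")

# Successful SMTP AUTH: ties a queue ID and client IP to the account used.
SASL_OK = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=[-._\w]+\[(?P<ip>[\d.]+)\], "
    r"sasl_method=\w+, sasl_username=(?P<user>\S+)")


def failed_auths_by_ip(log_text):
    """Count SASL authentication failures per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def brute_force_sources(log_text, threshold=3):
    """IPs with at least `threshold` SASL failures: candidates for blocking."""
    return sorted(ip for ip, n in failed_auths_by_ip(log_text).items()
                  if n >= threshold)


def submissions_by_user(log_text):
    """Map sasl_username -> set of client IPs that authenticated as it."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = SASL_OK.search(line)
        if m:
            users[m.group("user")].add(m.group("ip"))
    return dict(users)


def suspicious_accounts(log_text, max_distinct_ips=2):
    """Accounts that authenticated from more distinct IPs than a normal user
    would: the usual footprint of a hijacked mailbox used to send spam."""
    return sorted(user for user, ips in submissions_by_user(log_text).items()
                  if len(ips) > max_distinct_ips)


if __name__ == "__main__":
    # Usage: python triage.py [/var/log/zimbra.log]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("brute-force sources:", brute_force_sources(text))
    print("accounts to check:  ", suspicious_accounts(text))
```

The thresholds are deliberately low for the eight sample lines; on a real server raise them and run the script over a whole day of /var/log/zimbra.log, then reset the password of any account it names and look at that account's sent messages.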
- ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201
Re: Brute force attack & SPAM configuration
I'm still not capable of knowing the IP of the attacker... in the log I only see my own server IP.
qtp509886383-501971:https://my.server.wan.ip:7071/service/admin/soap/]
If I activate the admin login it suddenly goes into lockout again due to a lot of failed accesses... from WHO?
On another server, they do the same job, and now the service for the web admin console
zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running
doesn't start and gives me a 404.
If I give a zmcontrol restart nothing changes; there are no stale PIDs (as far as I can see). How can I start them one by one?
Re: Brute force attack & SPAM configuration
Fail2ban does not work. I am receiving more than a million IPs trying to auth to my accounts, each time from several IPs, so if I block them it does nothing; next time the attempt comes from another IP.
Do you know any other move to avoid this kind of attack?
Many of my accounts are being auto-locked and changing the password does not work; it gets locked or stolen by the spammer attacker. The passwords are not easy nor random; they are big phrases and out-of-dictionary data.
Any recommendation? fail2ban is good for simple attacks from the same IP, but when the attacker has more than a million IPs? What kind of step can be implemented in this situation?
- pup_seba
Re: Brute force attack & SPAM configuration
Your problem seems a little weird. More precisely this:
"Many of my accounts are being auto-locked and changing the password does not work; it gets locked or stolen by the spammer attacker. The passwords are not easy nor random; they are big phrases and out-of-dictionary data."
If this is the case, attackers are limited to 10 attempts every ten minutes, and if they lock down the account they will have a 1 hr time to cool off their attack (in the default configuration), which makes it really difficult for an attacker to "brute force" a password like the one you are describing. Could it be that their computers are infected with a keylogger or similar? Could it be that you are using an external LDAP for authentication with the "fallback to local auth" option enabled, and thus changing the user password in the external LDAP but not doing it in the Zimbra OpenLDAP?
To fight against attacks, basically the only things I am aware of are:
- fail2ban
- DOS Filter
- Login policies via COS
- zimico
- ZCS/ZD Version: 8.8.15 P3
Re: Brute force attack & SPAM configuration
How do you know that hacker is using more than one million IPs?
Regards,
- L. Mark Stone
- ZCS/ZD Version: 10.0.7 Network Edition
Re: Brute force attack & SPAM configuration
One strategy here is to configure account lockout policies such that DoSFilter (or fail2ban) starts throttling/blocking requests before the mailbox is locked out.
In that way, a legitimate remote user will not be locked out by a hacker doing a fast-paced dictionary attack.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
- zimico
- ZCS/ZD Version: 8.8.15 P3
Re: Brute force attack & SPAM configuration
L. Mark Stone wrote:
One strategy here is to configure account lockout policies such that DoSFilter (or fail2ban) starts throttling/blocking requests before the mailbox is locked out.
In that way, a legitimate remote user will not be locked out by a hacker doing a fast-paced dictionary attack.
Hope that helps,
Mark
I tested DoSFilter and lockout policy. DoSFilter blocks the bad IP but the account is still locked out. Do you have the same issue Mark?
Best regards.
- L. Mark Stone
- ZCS/ZD Version: 10.0.7 Network Edition
Re: Brute force attack & SPAM configuration
zimico wrote:
L. Mark Stone wrote:
One strategy here is to configure account lockout policies such that DoSFilter (or fail2ban) starts throttling/blocking requests before the mailbox is locked out.
In that way, a legitimate remote user will not be locked out by a hacker doing a fast-paced dictionary attack.
Hope that helps,
Mark
I tested DoSFilter and lockout policy. DoSFilter blocks the bad IP but the account is still locked out. Do you have the same issue Mark?
Best regards.
I do not have the same issue, because I configure DoSFilter to block the IP before the account is locked out -- assuming all the bad attempts come from one IP address. If it is a distributed attack from many IP addresses simultaneously, then yes, the mailbox will likely be locked out.
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
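The exchange between pup_seba (10 failures then a one-hour lockout by default; fail2ban, DoSFilter and COS login policies as the available controls), Mark (make the per-IP block trigger before the per-account lockout) and zimico (the account still locked when both thresholds coincide) comes down to the ordering of two independent counters. The following added model, mine and not code from Zimbra or from anyone in this thread, replays a single-source and a distributed dictionary attack through both counters so the ordering can be checked. The Zimbra attribute names in the comments (zimbraInvalidLoginFilterMaxFailedLogin, zimbraPasswordLockoutMaxFailures, zimbraPasswordLockoutFailureLifetime) are given for orientation only; the class does not reproduce Zimbra's implementation, and the IPs and account are constructed.

```python
from collections import defaultdict, deque


class ThresholdModel:
    """Toy model of the two failure counters discussed in the thread.

    ip_max   ~ failures from one IP before that IP is blocked
               (Zimbra: zimbraInvalidLoginFilterMaxFailedLogin; fail2ban's
               maxretry plays the same role in front of Postfix)
    acct_max ~ failures against one account before it is locked
               (Zimbra COS: zimbraPasswordLockoutMaxFailures)
    lifetime ~ seconds a failure keeps counting against the account
               (Zimbra COS: zimbraPasswordLockoutFailureLifetime)
    The names are for orientation; this is not Zimbra's code.
    """

    def __init__(self, ip_max, acct_max, lifetime):
        self.ip_max, self.acct_max, self.lifetime = ip_max, acct_max, lifetime
        self.ip_failures = defaultdict(int)
        self.blocked_ips = set()
        self.acct_failures = defaultdict(deque)   # account -> failure times
        self.locked_accounts = set()

    def attempt(self, t, ip, account, password_ok):
        """One login attempt at time t (seconds). Returns the outcome."""
        if ip in self.blocked_ips:
            return "ip-blocked"           # dropped before the auth backend
        if account in self.locked_accounts:
            return "locked"
        if password_ok:
            return "ok"
        # A failure is charged to the source IP and to the target account.
        self.ip_failures[ip] += 1
        if self.ip_failures[ip] >= self.ip_max:
            self.blocked_ips.add(ip)
        window = self.acct_failures[account]
        window.append(t)
        while window and t - window[0] > self.lifetime:   # expire old ones
            window.popleft()
        if len(window) >= self.acct_max:
            self.locked_accounts.add(account)
        return "fail"


ACCOUNT = "alice@example.com"            # constructed example account


def single_source_attack(ip_max, acct_max, lifetime=3600, tries=20):
    """Dictionary attack from one IP, one guess per second.
    Returns (account_locked, outcome of the real user's login afterwards)."""
    model = ThresholdModel(ip_max, acct_max, lifetime)
    for t in range(tries):
        model.attempt(t, "203.0.113.5", ACCOUNT, False)
    later = model.attempt(tries + 60, "192.0.2.20", ACCOUNT, True)
    return ACCOUNT in model.locked_accounts, later


def distributed_attack(ip_max, acct_max, lifetime=3600, tries=20):
    """Same guesses, but every attempt comes from a different IP."""
    model = ThresholdModel(ip_max, acct_max, lifetime)
    for t in range(tries):
        model.attempt(t, f"203.0.113.{t + 1}", ACCOUNT, False)
    later = model.attempt(tries + 60, "192.0.2.20", ACCOUNT, True)
    return ACCOUNT in model.locked_accounts, later


if __name__ == "__main__":
    print("IP limit 5 < lockout 10, one source: ", single_source_attack(5, 10))
    print("IP limit 10 = lockout 10, one source:", single_source_attack(10, 10))
    print("IP limit 5 < lockout 10, distributed:", distributed_attack(5, 10))
```

With the per-IP limit strictly below the account limit the single-source attacker is blocked after five guesses and the real user still logs in; with the two limits equal, both trip on the same attempt, which is what zimico observed. Spreading the guesses over many IPs defeats the per-IP counter entirely, as Mark says, and only a short failure lifetime (or a password the attacker cannot guess within it) keeps the account usable.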
Re: Brute force attack & SPAM configuration
Dear, I am following your recommendations and installed fail2ban according to your instructions, but when I want to launch fail2ban I get the following:
Starting fail2ban: ERROR Error in action definition iptables-allports[name=Zimbra-account]
ERROR Errors in jail 'zimbra-account'. Skipping...
ERROR Error in action definition iptables-allports[name=Zimbra-audit]
ERROR Errors in jail 'zimbra-audit'. Skipping...
[FAILED]
Please give me a hand. Regards.
- L. Mark Stone
- ZCS/ZD Version: 10.0.7 Network Edition
Re: Brute force attack & SPAM configuration
eowhinn wrote:
Dear, I am following your recommendations and installed fail2ban according to your instructions, but when I want to launch fail2ban I get the following:
Starting fail2ban: ERROR Error in action definition iptables-allports[name=Zimbra-account]
ERROR Errors in jail 'zimbra-account'. Skipping...
ERROR Error in action definition iptables-allports[name=Zimbra-audit]
ERROR Errors in jail 'zimbra-audit'. Skipping...
[FAILED]
Please give me a hand. Regards.
You have errors in your fail2ban configuration files. If you use Google to search for "zimbra fail2ban" you'll get lots of hits with actual jail file suggestions.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
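As a worked counterpart to Mark's answer, here is a minimal jail and filter pair of the kind those search hits give. It is an added fragment written for this page, not eowhinn's configuration and not Zimbra's or fail2ban's own; the jail name, file paths and numbers are assumptions to adapt. "Error in action definition iptables-allports[...]" at start-up usually means fail2ban could not load the named action, so the first check is that /etc/fail2ban/action.d/iptables-allports.conf exists and that the name in the jail matches it exactly. The filter watches the Postfix SASL warning in /var/log/zimbra.log because, as Quanah explained earlier in the thread, that is the line that carries the real client IP for SMTP logins; the audit-log entries for the same logins show the MTA's own address.

```ini
# /etc/fail2ban/jail.local  (assumed location; added example, not from the thread)
[zimbra-smtp-auth]
enabled  = true
filter   = zimbra-smtp-auth
action   = iptables-allports[name=zimbra-smtp-auth]
logpath  = /var/log/zimbra.log
maxretry = 5
findtime = 600
bantime  = 3600

# /etc/fail2ban/filter.d/zimbra-smtp-auth.conf  (assumed location)
[Definition]
failregex = postfix/smtpd\[\d+\]: warning: [-._\w]+\[<HOST>\]: SASL \w+ authentication failed
ignoreregex =
```

Before enabling the jail, confirm the filter matches live entries with fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra-smtp-auth.conf, and keep maxretry below the COS lockout threshold so the IP is banned before the account is locked.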